Design/Logic Flaw

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widgettabbedcontainertabpanel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is...

vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.

This module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the 'widgettabbedcontainertabpanel' template while also providing the 'widgetphp' argument. This causes the former template to load the...

CVE-2020-17496

Vulnerability: vBulletin 5.5.4–5.6.2 allows remote code execution via crafted subWidgets data in ajax/render/widget_tabbedcontainer_tab_panel requests. Root cause: an incomplete patch for CVE-2019-16759 left a logic bug in widget handling, enabling pre-auth code execution. Impact: remote PHP code...

vBulletin 5.x Remote Code Execution Exploit

This Metasploit module exploits a logic bug within the template rendering code in vBulletin 5.x. The module uses the vBulletin template rendering functionality to render the widgettabbedcontainertabpanel template while also providing the widgetphp argument. This causes the former template to load...

vBulletin 5.6.2 - (widget_tabbedContainer_tab_panel) Remote Code Execution Exploit

Exploit for php platform in category web applications Exploit Title: vBulletin 5.6.2 - 'widgettabbedContainertabpanel' Remote Code Execution Exploit Author: @zenofex Vendor Homepage: https://www.vbulletin.com/ Software Link: None Version: 5.4.5 through 5.6.2 Tested on: vBulletin 5.6.2 on Ubuntu...